Sprint fed customer GPS data to cops over 8 million times

A blogger has released audio of Sprint's Electronic Surveillance Manager …

Christopher Soghoian, a graduate student at Indiana University's School of Informatics and Computing, has made public an audio recording of Sprint/Nextel's Electronic Surveillance Manager describing how his company has provided GPS location data about its wireless customers to law enforcement over 8 million times. That's potentially millions of Sprint/Nextel customers who not only were probably unaware that their wireless provider even had an Electronic Surveillance Department, but who certainly did not know that law enforcement offers could log into a special Sprint Web portal and, without ever having to demonstrate probable cause to a judge, gain access to geolocation logs detailing where they've been and where they are.

Through a mix of documents unearthed by Freedom of Information Act requests and the aforementioned recording, Soghoian describes how "the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time."

The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. The courts ruled in 2005 that law enforcement doesn't need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.

Soghoian's lengthy post makes at least two important points, the first of which is that there are no reliable statistics on the real volume and scope of government surveillance because such numbers are either not published (sometimes in violation of the legally mandated reporting requirements) or they contain huge gaps. The second point is that the lack of reporting makes it difficult to determine just how involved the courts actually are in all of this, in terms of whether these requests are all backed by subpoenas.

Underlying both of these issues is the fact that Sprint has made it so easy for law enforcement to gain access to customer data on a 24/7 basis through the use of its Web portal and large compliance department. Regarding the latter, here's another quote from Paul Taylor, the aforementioned Sprint/Nextel Electronic Surveillance Manager:

"In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."

All of those people are there solely to serve up customer data to law enforcement, and other comments by Taylor indicate that his staff will probably grow. Sprint only recently made the GPS data available through the Web portal, and that has caused the number of requests to go through the roof. The company apparently plans on expanding the menu of surveillance options that are accessible via the Web. Taylor again:

"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just [because of] the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in."

I'm sure they'll find some way to deal with the "millions and millions" of warrantless surveillance requests, and no one will bother to even curb the practice, much less stop it. I've been reporting on this exact metadata/surveillance issue for years now, and it just gets worse. The stressed, jobless, indebted public doesn't care, and Congress doesn't either. If I'm still on this beat in 5 years, I'm sure I'll still be rewriting this same story for the thousandth time.

I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

It's suspected, by more level heads, that these queries are associated with a much smaller number of initial requests, and represent (essentially) refreshes that pull down current data. Not, as some suspect, 8 million queries of unique individuals.

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

It's suspected, by more level heads, that these queries are associated with a much smaller number of initial requests, and represent (essentially) refreshes that pull down current data. Not, as some suspect, 8 million queries of unique individuals.

Level heads? How about suckers? Do the math on 8 million "refreshes" and tell me what you think is a reasonable number. If you pick a number at random, say 64,000, then that's 125 refreshes in four years which is roughly a refresh every 12 days. But it's not 64,000, it's more, because at some point you either go and get a warrant for an actual wiretap or you drop the case at which point you no longer use this handy dandy civil rights infringer.

I can just see it now...Frank is a cop. His neighbor, Bob, says "Hey Frank, I think my wife is cheating on me".Frank takes him to his computer, logs into the site, and pulls up his wife's whereabouts for the last few evenings.Bob and Frank are great friends, so the next thing you know, Frank is harassing the crap out of the poor sod who was doing Bob's wife.Or even worse, Frank thinks his own wife is cheating on him, tracks down the poor bastard she's seeing, and blows him away in a fit of jealous rage.Without some really good oversight (like the need for a warrant), this system is wide open for abuse.

A huge part of the problem is the fact that our current privacy laws are completely outdated. Law enforcement agencies can request geolocation data and other private information from companies with little or no court oversight, and the customer is unlikely to ever even know that their information was disclosed.

You can read more about the issue at our Location Information page here: http://tr.im/GkQT.

Well people... everything discussed (except for some of the lapses related to reporting) is completely legal -- at least under current precedent. The courts ruled this is no different than law enforcement actually following you (completely legal) or getting a list of phone numbers you dialed (which also falls into the same meta-data zone).

IMHO, there are two reasonable reactions to this:

1) "That's how they catch bad guys. Keep up the good work law enforcement."

Unfortunately, the latter is all too often the reaction to an article like this.

One last point, I'd like more data about these 8 million requests before I get all worked up. How many individuals does this actually represent? Even if it means a few million individuals (remember, you have to assume the other wireless companies have something similar), who are those individuals? Just to give one stat, there are 5 million people on probation/parole in the U.S. right now. How many of these are probation officers checking up on their charges?

Or another question: How accurate is GPS data like this? Is this really GPS data? or just location estimated by the tower? That can mean the difference between a few meters accuracy or hundreds of meters accuracy.

Or another question: If I'm carrying around a device which constantly broadcasts my approximate location, then why should I believe that data has any privacy associated with it?

Yup. The "critical" information being released is the price lists. That's the stuff that needs protection. But more level heads will tell you that what's really important is that the PS3 really spanks the Wii. Or, they just won't get it.

Originally posted by Chuckstar:Or another question: If I'm carrying around a device which constantly broadcasts my approximate location, then why should I believe that data has any privacy associated with it?

You just brought up a good point. If I have "Location Awareness" turned off on my cell phone (which I do), would any of this crap still work?

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

It's suspected, by more level heads, that these queries are associated with a much smaller number of initial requests, and represent (essentially) refreshes that pull down current data. Not, as some suspect, 8 million queries of unique individuals.

Most likely some smart cookie wrote something to regularly refresh for certain individuals to keep track of where they go. I have no idea how the system works though, so anything along those lines will be pure speculation.

It seems very unlikely it's 8 million individuals, Sprint only has some 40m odd customers.

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

It's suspected, by more level heads, that these queries are associated with a much smaller number of initial requests, and represent (essentially) refreshes that pull down current data. Not, as some suspect, 8 million queries of unique individuals.

Level heads? How about suckers? Do the math on 8 million "refreshes" and tell me what you think is a reasonable number. If you pick a number at random, say 64,000, then that's 125 refreshes in four years which is roughly a refresh every 12 days. But it's not 64,000, it's more, because at some point you either go and get a warrant for an actual wiretap or you drop the case at which point you no longer use this handy dandy civil rights infringer.

If you're tracking someone, presumably you will do multiple refreshes many more times than once a day.

Let's say you want to track someone's patterns of movement and get a refresh every 15 minutes

1 year = 365 days = 24 hours = 96 15 minute intervals

So, in one year, you get 840960 queries. That's under 10 people.

Now, is it likely that they followed 9.x people for the whole year? No, but I can see them following a couple hundred for a month each, which seems rational as an investigatory tool.

Originally posted by Chuckstar:Well people... everything discussed (except for some of the lapses related to reporting) is completely legal -- at least under current precedent. The courts ruled this is no different than law enforcement actually following you (completely legal) or getting a list of phone numbers you dialed (which also falls into the same meta-data zone).

Two points:

1) There is a universe of difference between this and having the cops follow you around. It is expensive to pay someone to conduct in person physical surveillance and that provides a serious check on some of the worst abuses.

2) Nobody is suggesting that this is a crime. The reason everyone is pissed off and complaining about this is BECAUSE it is legal. This is exhibit A in how screwed up current 4th amendment jurisprudence is.

Originally posted by Chuckstar:Or another question: If I'm carrying around a device which constantly broadcasts my approximate location, then why should I believe that data has any privacy associated with it?

You just brought up a good point. If I have "Location Awareness" turned off on my cell phone (which I do), would any of this crap still work?

Yes, it still works. Having "Location Awareness" disabled means that you can't call your carrier and ask where your phone is, or where your kids' phone is or whatever. The information is still available to law enforcement. Ostensibly for e911 purposes, but you know it's for this kind of surveillance too.

Or another question: If I'm carrying around a device which constantly broadcasts my approximate location, then why should I believe that data has any privacy associated with it?

It seems like there's a difference between a device that broadcasts your location because you want it to, and a device that broadcasts your location because somebody else wants it to. The only reason your phone should broadcast the data it collects through a GPS receiver is if you dial 911. GPS is passive. As for the towers triangulating your location so they know which tower to send your phone calls to, it seems like you could design it the other way around: Have the towers broadcast and your phone only talks to any of them if it can't hear the one it was last registered with, and only with enough power that the nearest tower can hear it so that the others can't triangulate you. It would save your battery that way too. If law enforcement wants to have that data then they can get a warrant.

And on that note, I'm going to add "VoIP software that routes through your home PC and provides that location to the network no matter where you really are unless you dial 911" to my list of stuff to write when I get around to it. Nobody hesitate to beat me to it now.

This isn't GPS data, this is a triangulated guess based on what tower(s) you're near. While I understand the editorial desire to make things easier to understand to a wider audience, it's not technically correct and furthers peoples' misunderstanding of these types of issues.

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

Since this is just 8 million queries to Sprint (an American phone company, at last check), I highly doubt it. I'm wondering if they don't make similar requests to other phone companies, meaning the number would be much higher.

It's suspected, by more level heads, that these queries are associated with a much smaller number of initial requests, and represent (essentially) refreshes that pull down current data. Not, as some suspect, 8 million queries of unique individuals.

even if this is the case, there are only 365 days in a year so the number of unique individuals still has to be astronomical. and this is only sprint. i can't see at&t or other providers doing anything differently.

if someone told me this in conversation, i would NEVER have belived them. makes me wonder if i woke up in some alternate universe today.

i guess low tech is the only way to go if you whish to keep your business private.

Originally posted by ol1bit:That's it! I'm cutting the GPS out on my next Phone!

They can still triangulate your position without GPS simply by following the cell signal to a few towers in the area and measuring the signal strength. All fairly low tech stuff that's been available since they did it in the movie The Net with Sandra Bullock. Remember?? /sarcasm

Originally posted by Tornadus:I'm wondering if the request count is so high because they're observing people outside of the country, observing people they shouldn't, or if retrieving a stream of data (live tracking via GPS) counts as more than one request.

I'm also wondering about the nature of a refresh. Is one refresh able to contain all know tracking info. Such as:"give me the last 50 known locations of individual A"

It could be the case that one refresh will result in a lot of info that would reduce the amount of refreshes required per individual. And if this is so, the amount of tracked individuals could be pretty astronomical.

Originally posted by archon_1:This isn't GPS data, this is a triangulated guess based on what tower(s) you're near. While I understand the editorial desire to make things easier to understand to a wider audience, it's not technically correct and furthers peoples' misunderstanding of these types of issues.

And everyone is going to skip right over the point you made and rail against The Man.

quote:

I'm sure they'll find some way to deal with the "millions and millions" of warrantless surveillance requests, and no one will bother to even curb the practice, much less stop it.

Yep, unless they're doing something that they shouldn't be doing. To this citizen, it's pretty much a non-issue.

I don't really have a problem with tower triangulation because it is an inaccurate guesstimate unless the phone is in a very dense urban network. Where I live, I can "see" four ATT towers so the accuracy of finding me would be pretty good. But a few miles in any direction and the net widens considerably, especially if I'm only near a 2-quadrant cell site (most are 3 or 4).

That being said, if you don't want to be followed, just turn the damn phone off. It's easy. It boggles my mind that a criminal type would sign up for contract phone service anyway. Go to Wal-Mart and plunk down $30 cash on a Go Phone every few months and don't worry 'bout it.

quote:

Originally posted by GwT:Yep, unless they're doing something that they shouldn't be doing. To this citizen, it's pretty much a non-issue.

Would you be willing to share every aspect of your life online with us? Your bathing habits, your sex habits, your eating schedule? No? Me either. Then why would you let the government in to take notes if you're doing nothing wrong?

It's disturbing how quickly we as a nation have let the notion of a right to privacy slip away. “I've got nothing to hide so I don't mind them invading my privacy” is akin to “I never say anything controversial so I don't mind them curbing my freedom of speech.”

I'm sure they'll find some way to deal with the "millions and millions" of warrantless surveillance requests, and no one will bother to even curb the practice, much less stop it.

Yep, unless they're doing something that they shouldn't be doing. To this citizen, it's pretty much a non-issue.

Warrantless surveillance requests SHOULDN'T EVER be allowed, no matter what the reason!! The 4th Amendment seems to be non-existent these days!! It doesn't matter what someone is or isn't doing, the fact remains that the 4th Amendment is being skirted time and time again!!

Tracfone let me fire up a $20 phone on their network. When you activate it from their website, the first page asks for personal information (name, zip code, email addr) but look for the tiny link at the bottom of the page:

"If you wish to skip this step, please click here"

This allows you to use a phone with no personal info attached. Yes, they can tell my phone moved from town A to point B at such-and-such a time. But can they tell whose phone it is? NO! (And near my home there is only ONE cell tower serving over a hundred square miles so triangulation won't work.)

Why whine when you CHOOSE to carry the a device that tracks you personally? This shouldn't be a call to change the government (although I'm all for that!), this is a call to change your provider to one that respects your anonymity.

When Tracfones are made illegal (which they will be), then it will be time to march.

Originally posted by archon_1:This isn't GPS data, this is a triangulated guess based on what tower(s) you're near. While I understand the editorial desire to make things easier to understand to a wider audience, it's not technically correct and furthers peoples' misunderstanding of these types of issues.

And everyone is going to skip right over the point you made and rail against The Man.

quote:

I'm sure they'll find some way to deal with the "millions and millions" of warrantless surveillance requests, and no one will bother to even curb the practice, much less stop it.

Yep, unless they're doing something that they shouldn't be doing. To this citizen, it's pretty much a non-issue.

Put another way: if you've done nothing wrong, why do you need any rights at all?

It's time once more to bring out that old adage (seeing as people seem to trust these sorts of things more than anything I might say) coined by Benjamin Franklin, and it goes a little something like this; "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." Temporary Safety is, of course, "Security".Western societies (along with most if not all other major modern socities) long ago became surveillance states. That's the second most troubling thing about it all. The most troubling thing is that noone gives a fuck.So let's see:surveillance cameras in most if not all public places, check.acquistion of data by any agency with "authority" at their will, check.thought-crime, check (seen something suspicious? call the police).reversal, confusion and obfustication of language, check (what do you immediately think of when I say, for instance, the word "revolution"? Some people think socialism means almost the opposite of what it means. Remember ingsoc? Many other examples could be named. Take away the concepts/language, take away the very thing itself).Perpetual war, check.Attempts to centralize and overtake media, check.So on and so forth.George Orwell wasn't writing about some parallel world where the unthinkable happened, I'm sure he anticipated all of this would happen.It's so much more palatable when fed with a spoonful of sugar to help it go down.

Originally posted by Chuckstar:Well people... everything discussed (except for some of the lapses related to reporting) is completely legal -- at least under current precedent. The courts ruled this is no different than law enforcement actually following you (completely legal) or getting a list of phone numbers you dialed (which also falls into the same meta-data zone).

Two points:

1) There is a universe of difference between this and having the cops follow you around. It is expensive to pay someone to conduct in person physical surveillance and that provides a serious check on some of the worst abuses.

2) Nobody is suggesting that this is a crime. The reason everyone is pissed off and complaining about this is BECAUSE it is legal. This is exhibit A in how screwed up current 4th amendment jurisprudence is.

So...ducktape your phone to a dog, let it run around, then go and buy one of the disposable cell phones.

What I don't understand is: what is Sprint's financial incentive for running such an operation? >100 employees and all this infrastructure has to be expensive. Are they being paid by the government for access to these services?